Skip to content

Obfuscation and Xaml/Baml

August 16, 2007

Thanks to a forum post "Code Protection and Licensing of WPF Applications", I write this response:

Baml is similar to IL in that it encodes type and member names.  Unfortunately, we haven’t documented baml like IL is, so obfuscators can’t easily obfuscate WPF applications.

I believe the best approach today is to exclude from obfuscation any types/members which you define that you need to use in Xaml.  If any type/member names change between creating the assembly (with baml) and runtime, the baml hasn’t been updated to refer to the new types.

Unfortunately, we don’t have the baml format published (as we think we will need to change it) and don’t have an adequate API to help obfuscators.

We are investing to improve this in the future.  Until then, I’d love to hear:

  1. best practices to deal with this limitation today
  2. feedback about how critical it is to improve this
  3. any other feedback in this area



From → XAML (non-UI)

  1. Bill permalink

    Hi Rob,
    I am a control developer and have discussed the WPF obfuscation issue with the Dotfuscator folks.  They have also told me that Microsoft didn\’t publish BAML format specs, thus making obfuscation near impossible for them.  Microsoft really must get working on this to provide them what they need, otherwise it\’s a simple matter to steal any third-party code.  Please help support us developers who use the WPF platform by helping us protect our code!  This is critical for companies like mine that rely on building innovative code libraries.  Thanks for listening.

  2. Rob permalink

    Yes, we haven\’t made it easy for the obfuscation companies.  As a control author, you can\’t obfuscate the names of public APIs, however, you should be able to obfuscate everything else.
    Thanks for your comment.

  3. Sorin permalink

    I pefectly agree with Bill! We are also a component development company and we are very affraid to publish a suite of WPF controls that we\’ve just developed due to the fact that obfuscation is not possible at an appropriate level.

  4. Tom permalink

    There is an additional problem beyond what\’s been discussed here so far. All of the obfuscators I\’ve looked at so far require you to merge your assemblies (EXE and DLL\’s) into a single load module before you obfuscate the result. Normally this is done with ILMerge. The problem is that ILMerge won\’t merge WPF assemblies. I\’ve discussed this with the ILMerge author and at the present time he doesn\’t have the time to fix the problem for WPF – so even if the details are published, many (all?) of the obfuscators still will not be usable on projects with more than one assembly. If anyone has solved this problem, I\’d sure like to hear from them.

  5. Unknown permalink

    Welcome to enter (wow gold) and (wow power leveling) trading site, (wow gold) are cheap, (wow power leveling) credibility Very good! Quickly into the next single! Key words directly to the website click on transactions! -144657972550229

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: